Can cybersecurity profit from corporate self-interest?

By William Jackson

Mar 09, 2012

A panel of telecom industry executives made a strong plea to Congress during a recent hearing that cybersecurity regulation would stifle innovation and could actually make their networks less secure. Market forces, they said, will protect them much better.

But current events show that relying exclusively on market forces as an incentive for securing networks, coupled with an insistence that all regulation is bad for security, does a disservice to those who rely on this critical infrastructure. Not only are the networks themselves vulnerable to attack, but they also are channels for delivering attacks to enterprises, IT systems and end users around the world.

AT&T CSO Edward Amoroso was the staunchest opponent of regulation to testify before the House Energy and Commerce subcommittee on Communications and Technology on March 7.

“Overbroad regulation and certification requirements will likely have unintended consequences, such as emphasizing the status quo by focusing on yesterday’s challenges,” he said. “An overly prescriptive approach can only serve to stifle Internet innovation and the technology leadership of the United States in the global information infrastructure. Quite simply, innovation is inconsistent with standardization.”

That is a strange attitude in an industry that has thrived as a direct result of standardization; in which standardization has resulted in innovations almost unimaginable a few years ago, such as wireless pocket-sized computers that dwarf the power of original desktop PCs.

But just as strange is Amoroso’s statement that “we are being out-innovated by our adversaries,” and that AT&T is confronted with malware “so good and so well-crafted that we marvel at how far our adversaries have come.”

Why are we being out-innovated?

If market forces are all that are needed to compel companies to defend their networks, how is it that the telecom industry, which is fettered by no cybersecurity regulation, is being out-innovated by its adversaries?

If commercial self-interest is the only incentive necessary for cybersecurity, why is the security of privately owned critical infrastructure an issue today? Why is Congress considering regulation?

“Burdening the private sector with the cost of unnecessary and ineffective regulations and processes . . . will only slow advances in cybersecurity,” Amoroso said.

But he is being disingenuous when he refuses to consider the possibility of necessary and effective regulation.

It would be wrong to dismiss out of hand the industry’s argument that commercial self-interest is an incentive for effectively securing its networks. It obviously is, to some extent. And it would be wrong to dismiss industry calls for better information sharing within the industry and between the private sector and government. Cooperation between the stakeholders is necessary and is today inadequate, although improving.

It also is true that a company can be doing a good job at security and still remain open to breaches. Absolute security is impossible, after all, and the presence of a vulnerability does not necessarily mean that an organization has ignored or failed at security.

But it also is wrong to ignore the fact that the security of the nation's critical infrastructure currently is inadequate, that commercial self-interest provides only limited incentive for security investments to a company that is dedicated to producing a profit for shareholders, and that the government has a legitimate interest in the security of the infrastructure that is critical to our economy and safety.

The government can protect that interest in two ways: By directly monitoring and defending privately owned networks, which probably is unwise, or by exercising responsible oversight with targeted and effective regulation that sets baselines for securing critical infrastructure. Such regulation would not be burdensome. Indeed, if a company already is doing everything it can to protect itself, it would not even notice such regulation.